how to secure this from injection?

Question

the follow code does what i want to to but i guess the query needs to be BIND to protect it from injection etc.

this portion

if(!empty($filter_field))
{
    $order = "ORDER BY fees $filter_field";
}

as of now it does the job but i am sure it is vulnerable, can someone show me a better way to get it done?

here is my complete portion

$filter_field = $_GET['fees']; 

if(!empty($filter_field))
{
    $order = "ORDER BY fees $filter_field";
}

$query = "SELECT COUNT(*) FROM interviews $order";

if(empty($params))
{
    $stmt = $db->query($query);
}
else
{
    $stmt = $db->prepare($query);
    foreach($params as $param)
    {
        $stmt->bindValue($param[0],$param[1],$param[2]);
    }
    $stmt->execute();
}

$total = $stmt->fetchColumn();

$pages = ceil($total / $records_per_page);

$page = min($pages, filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, array(
'options' => array(
'default'   => 1,
'min_range' => 1,
),
)));

$offset = ($page - 1)  * $records_per_page; 

$params[] = array(':records_per_page',$records_per_page, PDO::PARAM_INT);
$params[] = array(':offset',$offset, PDO::PARAM_INT);


$query = "SELECT * FROM interviews $order LIMIT :records_per_page OFFSET :offset";


if(empty($params))
{
    $stmt = $db->query($query);
}
else
{
    $stmt = $db->prepare($query);
    foreach($params as $param)
    {
        $stmt->bindValue($param[0],$param[1],$param[2]);
    }
    $stmt->execute();
}

$result = $stmt->fetchAll();

thank you for your kind help.